Entourage 2008 and Kerberos Part 2

[Peter-Erik_van_Riet]

Version: 2008
Operating System: Mac OS X 10.5 (Leopard)
Processor: Intel
Email Client: Exchange

First question:

<http://www.officeformac.com/ms/ProductForums/Entourage/9985/0>

but this is closed so i started part 2. Is it an Apple or Entourage problem?
We work here with two domain controllers (dc1 & dc2) can this be the problem that Kerberos authentication is not working in Entourage?

 

[William Smith [MVP]]

First question:

<http://www.officeformac.com/ms/ProductForums/Entourage/9985/0>

but this is closed so i started part 2. Is it an Apple or Entourage
problem? We work here with two domain controllers (dc1 & dc2) can
this be the problem that Kerberos authentication is not working in
Entourage?

Are you using Windows Server's DNS servers or do you have a non-Windows
DNS system?

--

bill

Entourage Help Page <http://entourage.mvps.org/>
Entourage Help Blog <http://blog.entourage.mvps.org/>
YouTalk <http://nine.pairlist.net/mailman/listinfo/youtalk>
Twitter: follow <http://twitter.com/meck>

 

[Peter-Erik_van_Riet]

We are using Windows Server DNS.

 

[William Smith [MVP]]

We are using Windows Server DNS.

Your setup is fine and you should be able to get this to work.
Non-Windows DNS servers can cause problems but since you are using
Windows then everything should be easier.

Since you have two domain controllers then you also have two DNS
servers, which are critical to Kerberos. Are you making sure to hand out
your DNS server addresses with your DHCP assignments or, if you're
hard-coding addresses, are you including DNS servers? You must point
your Macs to one of your servers and not to an external DNS address.

Use the Network Utility found in /Applications/Utilities to test both
forward (name resolves to IP) and reverse (IP resolves to name)
addresses. Make sure your DNS resolves these properly.

--

bill

Entourage Help Page <http://entourage.mvps.org/>
Entourage Help Blog <http://blog.entourage.mvps.org/>
YouTalk <http://nine.pairlist.net/mailman/listinfo/youtalk>
Twitter: follow <http://twitter.com/meck>

 

[Peter-Erik_van_Riet]

Bill

The network settings are set on DHCP and there are two (received) (internal) DNS servers (dc1(10.0.1.10) & dc2(10.0.1.20))

In Terminal:

host 10.0.1.10
10.1.0.10.in-addr.arpa domain name pointer srv-dc1.xxxxxxxx.local.
host 10.0.1.20
20.1.0.10.in-addr.arpa domain name pointer srv-dc2.xxxxxxxx.local.

host srv-dc1.xxxxxxxx.local
srv-dc1.xxxxxxxx.local has address 10.0.1.10
host srv-dc2.xxxxxxxx.local
srv-dc2.xxxxxxxx.local has address 10.0.1.20

Seems to me that everything is working properly.

 

[Peter-Erik_van_Riet]

Extra info: We have here a proxy server running.

 

[William Smith [MVP]]

Extra info: We have here a proxy server running.

A proxy shouldn't affect your internal machines. Do be sure that you're
pointing your Entourage clients to an internal back-end Exchange Server
and not an external Outlook Web Access (OWA) server.

--

bill

Entourage Help Page <http://entourage.mvps.org/>
Entourage Help Blog <http://blog.entourage.mvps.org/>
YouTalk <http://nine.pairlist.net/mailman/listinfo/youtalk>
Twitter: follow <http://twitter.com/meck>

 

[Peter-Erik_van_Riet]

We dont' have no Front-end or Back-end installed is just a mail server thats all

 

[William Smith [MVP]]

We dont' have no Front-end or Back-end installed is just a mail
server thats all

Then be sure you are using an internal address to the server and not an
address that's accessible from the Internet.

--

bill

Entourage Help Page <http://entourage.mvps.org/>
Entourage Help Blog <http://blog.entourage.mvps.org/>
YouTalk <http://nine.pairlist.net/mailman/listinfo/youtalk>
Twitter: follow <http://twitter.com/meck>

 

[Peter-Erik_van_Riet]

We only use internal ip. (remember kerberos is working) What can i test more or what can i check on the Exchange server?

 

[Peter-Erik_van_Riet]

Bill do you have any suggestions ?

 

[William Smith [MVP]]

Bill do you have any suggestions ?

I can't help but notice you said you're using the server's IP address.
I'm not sure how this affects Kerberos. Can you try using the Exchange
Server's fully qualified domain name instead? Remember, Kerberos depends
on DNS and reverse lookups. Be sure your server name has a reverse
pointer too.

If that fails then I suggest a test.

Safari is Kerberized, which user who is logged in on a Mac bound to
Active Directory should be able to access his mail account without
having to authenticate again.

If your Exchange Server address in Entourage is something like:

server.example.com

then enter this into Safari:

server.example.com/exchange

You should immediately go into your account without authenticating. If
this doesn't work then you need to work with some Exchange folks to
troubleshoot Kerberos on the Exchange Server. I suggest posting your
question in the microsoft.public.exchange.admin newsgroup. Several
knowledgeable folks participate there and can hopefully answer your
question.

Hope this helps!

--

bill

Entourage Help Page <http://entourage.mvps.org/>
Entourage Help Blog <http://blog.entourage.mvps.org/>
YouTalk <http://nine.pairlist.net/mailman/listinfo/youtalk>
Twitter: follow <http://twitter.com/meck>

 

[Peter-Erik_van_Riet]

Thanks Bill

I try IP adres and FQDN both don't work

"Try of Safari is Kerberized"

<http://mail.xxxxxxxx.eu/exchange/> i get an error "The page must be viewed over a secure channel"

<https://mail.xxxxxxxx.eu/exchange/> I have to login with name and password but this is because its a secure channel?

 

[William Smith [MVP]]

<https://mail.xxxxxxxx.eu/exchange/> I have to login with name and
password but this is because its a secure channel?

No, this means that Kerberos is failing at the server. You should
definitely post this problem in the microsoft.public.exchange.admin
newsgroup.

--

bill

Entourage Help Page <http://entourage.mvps.org/>
Entourage Help Blog <http://blog.entourage.mvps.org/>
YouTalk <http://nine.pairlist.net/mailman/listinfo/youtalk>
Twitter: follow <http://twitter.com/meck>

 

[Peter-Erik_van_Riet]

Thanks Bill for your time i continue this on microsoft.public.exchange.admin newsgroup site.